[Seaside] Security

Ross Boylan wrote:
> On Sun, 2009-05-03 at 12:42 -0600, Nevin Pratt wrote:
>> For your app, I'd consider making your entire site use SSL, and I'd
>> consider requiring cookies. I'd also consider configuring Seaside for
>> using cookies for the session key, plus use a secondary cookie for
>> additional "branding" of your login/logout process.
>
> I think also I'd want to add the wrapper that only permits sessions to
> use the original IP address.
>
> Are there any hidden problems that may turn up with clients that are
> NAT'd or using a proxy? I suppose a multi-homed client (more likely a
> proxy) might randomly start using a different IP address.
>
> I wasn't familiar with branding, but with Google's help I understand.
> Thanks for mentioning it.
>
> Thanks to everyone who responded.
> Ross
>
A few weeks ago when I was testing what you are suggesting (only permit
sessions to use the original IP address), I found (for example) the
following in my log file, all associated to the same session:

CurrentIP=205.188.116.142 LastIP=205.188.116.74
CurrentIP=205.188.116.16 LastIP=205.188.116.142
CurrentIP=205.188.116.73 LastIP=205.188.116.16
CurrentIP=205.188.117.11 LastIP=205.188.116.73
CurrentIP=205.188.116.72 LastIP=205.188.117.11

Look at the sequence, and you can see that somebody was changing their
IP with every request.

Now do a reverse IP lookup on any of those IPs, and what do you find?

205.188.116.142 resolves to
"cache-dtc-ac13.proxy.aol.com"
Top Level Domain: "aol.com"

So, I can confirm that AOL users will typically change their IP with
every request.

And, AOL isn't the only ISP I found that does this.

Yes, you certainly can use the wrapper that only permits sessions to use
the original IP address. But that will also *definitely* limit your
audience, of who can successfully use your website.

I definitely would *not* do that with an eCommerce site. I don't think
I'd do it with a banking site, either. But I *might* do it for a
specialized web app that I had complete control over the clients, though.

I personally think that the wrapper that ties the sessions to only their
original IP is a rather worthless wrapper for the vast majority of
Seaside apps. But there is a very small subset of apps that it is a
good idea for, and I think would work well for. I'm just not sure if
your app is one of those.

Nevin
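
Added example, not part of the original message and not Seaside code: a Python script that replays the five log lines quoted above against an IP-binding check at several prefix lengths and counts the requests each setting would refuse. The function names, and the choice to compare each request with the previous address as the log records it, are assumptions made for this illustration.

```python
import ipaddress
import re

# The five CurrentIP/LastIP lines quoted in the message (one session).
LOG = """\
CurrentIP=205.188.116.142 LastIP=205.188.116.74
CurrentIP=205.188.116.16 LastIP=205.188.116.142
CurrentIP=205.188.116.73 LastIP=205.188.116.16
CurrentIP=205.188.117.11 LastIP=205.188.116.73
CurrentIP=205.188.116.72 LastIP=205.188.117.11
"""

LINE_RE = re.compile(r"CurrentIP=(\S+)\s+LastIP=(\S+)")

def parse(log):
    """Return (current, last) address pairs from CurrentIP=/LastIP= lines."""
    pairs = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((ipaddress.ip_address(m.group(1)),
                          ipaddress.ip_address(m.group(2))))
    return pairs

def same_prefix(a, b, prefix_len):
    """True if a and b share their first prefix_len bits (32 = exact match)."""
    if a.version != b.version:
        return False
    return b in ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)

def rejected(pairs, prefix_len):
    """Number of requests a binding check at this prefix length would refuse."""
    return sum(not same_prefix(cur, last, prefix_len) for cur, last in pairs)

def tightest_passing_prefix(pairs):
    """Longest IPv4 prefix length at which no request in the sample is refused."""
    for prefix_len in range(32, -1, -1):
        if rejected(pairs, prefix_len) == 0:
            return prefix_len

if __name__ == "__main__":
    pairs = parse(LOG)
    for prefix_len in (32, 24, 16):
        print(f"/{prefix_len}: {rejected(pairs, prefix_len)} of {len(pairs)} refused")
    print("tightest prefix with no refusals:", tightest_passing_prefix(pairs))
```

On these five lines an exact-match check refuses every request and a /24 match still refuses two. The result describes this sample only, and any looser prefix also weakens what the binding protects against.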